Isolating Spam

We have a CentOS server, running Sendmail and ISPConfig as the panel. We recently noticed a huge increase in traffic coming from a phoney yahoo account. The logs show hundreds of emails being sent in a short time.

We are trying to isolate the script, but we have multiple sites running and don't know where to look first.

You will want to track one of the emails from start to finish to determine how it was sent.

I do not know about the ISPConfig panel, but on many systems, if it is a web script or form being exploited to send email, the sender's ID will be that of the apache user on the server (for PHP apps) or the site's file owner for cgi-bin apps.

If a user account was hacked, you can often look for a higher number of logins or SMTP AUTH connections from the same user by analyzing the log files.
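As an added example (not code from the question or the answer above), here is a small Python script that does the log analysis the answer describes: it groups Sendmail maillog lines by queue ID, ties each message's `from=` line to any SMTP AUTH line for the same queue ID, and counts messages per local submitter (such as the apache user) and per authenticated user so bursts stand out. The log lines are constructed samples with hypothetical hosts, users, queue IDs and addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample maillog lines (hypothetical host, users, queue IDs, IPs).
SAMPLE_LOG = """\
Mar  5 10:15:01 mx1 sendmail[2201]: r25AF1ab002201: from=apache, size=812, class=0, nrcpts=1, msgid=<a1@mx1>, relay=apache@localhost
Mar  5 10:15:01 mx1 sendmail[2202]: r25AF1ab002202: from=apache, size=812, class=0, nrcpts=1, msgid=<a2@mx1>, relay=apache@localhost
Mar  5 10:15:02 mx1 sendmail[2203]: r25AF2cd002203: from=apache, size=812, class=0, nrcpts=1, msgid=<a3@mx1>, relay=apache@localhost
Mar  5 10:16:10 mx1 sendmail[2300]: r25AG9ef002300: AUTH=server, relay=[198.51.100.7], authid=bob, mech=LOGIN, bits=0
Mar  5 10:16:10 mx1 sendmail[2300]: r25AG9ef002300: from=<bob@example.com>, size=910, class=0, nrcpts=5, msgid=<b1@pc>, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Mar  5 10:16:11 mx1 sendmail[2301]: r25AGBgh002301: AUTH=server, relay=[198.51.100.7], authid=bob, mech=LOGIN, bits=0
Mar  5 10:16:11 mx1 sendmail[2301]: r25AGBgh002301: from=<bob@example.com>, size=910, class=0, nrcpts=5, msgid=<b2@pc>, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Mar  5 10:20:00 mx1 sendmail[2400]: r25AK0ij002400: AUTH=server, relay=[203.0.113.9], authid=alice, mech=PLAIN, bits=0
Mar  5 10:20:00 mx1 sendmail[2400]: r25AK0ij002400: from=<alice@example.com>, size=500, class=0, nrcpts=1, msgid=<c1@laptop>, proto=ESMTP, daemon=MTA, relay=[203.0.113.9]
"""

# "sendmail[pid]: <queue id>: <comma separated key=value fields>"
LINE_RE = re.compile(r"sendmail\[\d+\]: ([A-Za-z0-9]+): (.*)$")

def parse_maillog(text):
    """Group log lines by queue ID; the from= line and the AUTH line of one
    message share that ID, which is how you track a message end to end.
    Assumes no field value contains ', ' (true for typical msgids)."""
    records = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split(", ") if "=" in kv)
        rec = records[qid]
        if "from" in fields:  # envelope sender line
            rec["from"] = fields["from"].strip("<>")
            rec["relay"] = fields.get("relay", "")
            rec["nrcpts"] = int(fields.get("nrcpts", 0))
        if "authid" in fields:  # SMTP AUTH line: who logged in, from where
            rec["authid"] = fields["authid"]
            rec["auth_ip"] = fields.get("relay", "").strip("[]")
    return dict(records)

def count_senders(records):
    """Messages per local submitter (relay=user@localhost, e.g. a PHP script
    running as apache) and per SMTP AUTH user (a possibly hacked mailbox)."""
    local, authed = Counter(), Counter()
    for rec in records.values():
        if "authid" in rec:
            authed[rec["authid"]] += 1
        elif rec.get("relay", "").endswith("@localhost"):
            local[rec["relay"].split("@")[0]] += 1
    return local, authed

def flag_bursts(records, threshold):
    """Return (kind, user, count) for every sender at or above threshold."""
    local, authed = count_senders(records)
    flagged = [("local-user", u, n) for u, n in local.items() if n >= threshold]
    flagged += [("smtp-auth", u, n) for u, n in authed.items() if n >= threshold]
    return sorted(flagged, key=lambda t: -t[2])

if __name__ == "__main__":
    for kind, user, n in flag_bursts(parse_maillog(SAMPLE_LOG), 2):
        print(f"{kind:10} {user:10} {n} messages")
```

On a real server, replace SAMPLE_LOG with the contents of /var/log/maillog and raise the threshold to what is normal for your sites; a local user such as apache at the top of the list points at a web script, an authid at the top points at a compromised mailbox and its auth_ip shows where the logins came from.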